https://community.splunk.com/t5/Security/Google-Workspace/m-p/675647#M17574 <P><SPAN>Hi there,</SPAN></P><P><SPAN>The key is finding those Workspace login logs.</SPAN><SPAN> While the add-on and apps might be installed,</SPAN><SPAN> there could be a filtering or indexing issue.</SPAN></P><P><SPAN>Here's a quick rundown:</SPAN></P><OL><LI><P><STRONG>Check the filter:</STRONG><SPAN> Did you configure any filters that might exclude login events?</SPAN><SPAN> Double-check your inputs.</SPAN><SPAN>conf settings specifically.</SPAN></P></LI><LI><P><STRONG>Look for indexing errors:</STRONG><SPAN> Splunk logs might reveal indexing errors related to Workspace data.</SPAN><SPAN> Check </SPAN>splunkd.log<SPAN> and </SPAN>python.log<SPAN> for clues.</SPAN></P></LI><LI><P><STRONG>Search smarter:</STRONG><SPAN> The provided search might not translate perfectly to Workspace.</SPAN><SPAN> Try broader terms like "google login" or "workspace access" and adjust from there.</SPAN></P></LI></OL><P><SPAN>If you're still stuck,</SPAN><SPAN> I recommend searching Splunkbase forums or reaching out to Splunk or Google Workspace support directly.</SPAN><SPAN> They've seen it all and can offer specific guidance.</SPAN></P><P><SPAN>Remember,</SPAN><SPAN> hunting invaders is like being a detective – persistence and resourcefulness are key!</SPAN></P><P>~ If the reply helps, a Karma upvote would be appreciated</P> Sun, 28 Jan 2024 10:14:45 GMT datadevops 2024-01-28T10:14:45Z https://community.splunk.com/t5/Security/Google-Workspace/m-p/675526#M17572 <P>Hello Every Body.</P><P>&nbsp;</P><P>I'm starting this question be couse i'm traying to genrate detections for goole workspace invader as that post about 365.</P><P>&nbsp;<A href="https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-blue-team-s-guide-to-initial-access-vectors.html" target="_blank" rel="noopener">https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-blue-team-s-guide-to-initial-access-vectors.html</A>.&nbsp;</P><P>But i can not find google work space&nbsp; login logs in actual ingest. We installed&nbsp; the ad-don and newest apps abalaible in the splunkbase and could not find it.</P><P>surfin into the splunk web we could't fund an euivalent searchs as the link attached.&nbsp;</P><P>&nbsp;</P><P>Some bady had the same problem?&nbsp; how can I solved it?&nbsp;</P> Fri, 26 Jan 2024 14:57:06 GMT https://community.splunk.com/t5/Security/Google-Workspace/m-p/675526#M17572 cbarrios 2024-01-26T14:57:06Z https://community.splunk.com/t5/Security/Google-Workspace/m-p/675647#M17574 <P><SPAN>Hi there,</SPAN></P><P><SPAN>The key is finding those Workspace login logs.</SPAN><SPAN> While the add-on and apps might be installed,</SPAN><SPAN> there could be a filtering or indexing issue.</SPAN></P><P><SPAN>Here's a quick rundown:</SPAN></P><OL><LI><P><STRONG>Check the filter:</STRONG><SPAN> Did you configure any filters that might exclude login events?</SPAN><SPAN> Double-check your inputs.</SPAN><SPAN>conf settings specifically.</SPAN></P></LI><LI><P><STRONG>Look for indexing errors:</STRONG><SPAN> Splunk logs might reveal indexing errors related to Workspace data.</SPAN><SPAN> Check </SPAN>splunkd.log<SPAN> and </SPAN>python.log<SPAN> for clues.</SPAN></P></LI><LI><P><STRONG>Search smarter:</STRONG><SPAN> The provided search might not translate perfectly to Workspace.</SPAN><SPAN> Try broader terms like "google login" or "workspace access" and adjust from there.</SPAN></P></LI></OL><P><SPAN>If you're still stuck,</SPAN><SPAN> I recommend searching Splunkbase forums or reaching out to Splunk or Google Workspace support directly.</SPAN><SPAN> They've seen it all and can offer specific guidance.</SPAN></P><P><SPAN>Remember,</SPAN><SPAN> hunting invaders is like being a detective – persistence and resourcefulness are key!</SPAN></P><P>~ If the reply helps, a Karma upvote would be appreciated</P> Sun, 28 Jan 2024 10:14:45 GMT https://community.splunk.com/t5/Security/Google-Workspace/m-p/675647#M17574 datadevops 2024-01-28T10:14:45Z